India’s Draft DPDP Rules, 2025 Released for Public Review

Written by Archana Rao

India’s central government has released the draft Digital Personal Data Protection Rules (DPDP Rules), 2025, under the Digital Personal Data Protection Act, 2023. The draft, open for public feedback until February 18, 2025, outlines strict guidelines for data retention and user privacy.


On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, or DPDP Rules, 2025, under the Digital Personal Data Protection Act, 2023 (DPDP Act). These draft rules have been made available for public review, inviting comments, objections, and suggestions until February 18, 2025.

The draft DPDP Rules, 2025, comprising 22 provisions and seven schedules, align with the 44 sections of the DPDP Act. They provide detailed information, such as guidelines on notice requirements, consent management, security safeguards, handling personal data breaches, and addressing data related to children and individuals with disabilities.

Key roles under the DPDP Act

  1. Data fiduciary: An entity that determines the purpose and means of processing personal data. Responsibilities include obtaining consent, ensuring data security, and enabling individuals (data principals) to exercise rights, such as access, correction, and deletion of their data.
  2. Data processor: A third party that processes data on behalf of a data fiduciary, acting solely under its instructions. Examples include payroll or cloud service providers. Data fiduciaries must ensure processors comply with legal obligations via contracts.
  3. Data principal: An individual whose personal data is being processed. Data principals have the right to access, correct, or delete their data, withdraw consent, and seek grievance redressal.
  4. Consent manager: A third-party entity facilitating data principals in managing consent. They operate interoperable platforms, ensuring transparency, security, and compliance, under the oversight of the Data Protection Board (DP Board).

Key features of the draft DPDP Rules, 2025

The draft DPDP Rules, 2025, introduce a framework to safeguard personal data and uphold privacy rights. Below is an overview of key provisions:

Notice requirements for data fiduciaries: Data fiduciaries must issue clear, standalone notices to data principals (individuals whose data is being collected). These notices should include:

  • A detailed list of the personal data collected.
  • The purpose for processing the data.
  • An explanation of the goods, services, or uses enabled by such processing.
  • Steps for withdrawing consent, exercising rights, and filing complaints.

The notice must also provide accessible communication links to the fiduciary’s platform and describe methods for easily withdrawing consent or raising grievances, ensuring simplicity and transparency.

Consent managers: Consent managers (third-party entities or platforms), which help data principals manage their consent, must meet specific criteria, including:

  • Registration as an entity in India, with a minimum net worth of INR 20 million (US$233,414).
  • An interoperable platform for managing, reviewing, and withdrawing consent.
  • High standards of transparency, security, and conflict-free operations.
  • Consent managers must secure prior approval from the DP Board before transferring control or ownership.

Data processing by the state: The state government and its agencies can process personal data to provide subsidies, benefits, services, certificates, licenses, or permits as defined by law or funded through public resources. Such processing must comply with standards outlined in Schedule II of the act, ensuring it is lawful, transparent, secure, and limited to the necessary data for these purposes.

Reasonable security safeguards: Data fiduciaries are required to implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorized access, data backups, etc. Contracts with data processors must ensure adherence to these security requirements.

Data breach notification: In the event of a data breach, data fiduciaries must:

  • Inform affected individuals promptly, providing details about the breach, its impact, and measures for mitigation.
  • Notify the DP Board within 72 hours of detection (or longer, if approved), sharing comprehensive information about the incident.

Accountability and compliance: The DPDP draft rules specify that data fiduciaries must process personal data lawfully, limit usage to necessary purposes, and retain data only for as long as required. They are also mandated to publish grievance redressal mechanisms on their platforms.

Data retention policies: Entities like e-commerce platforms with over 20 million users, online gaming intermediaries with over 5 million users, and social media platforms with over 20 million users must delete user data after three years unless the user actively maintains their account.

Data protection impact assessments (DPIAs): Significant data fiduciaries must conduct annual DPIAs to identify and mitigate risks in data processing activities. These assessments also ensure that algorithmic systems used do not infringe on the rights of data principals.

Processing of personal data outside India: Data fiduciaries processing data within India or in connection with offering goods or services to data principals from outside India must comply with any requirements the central government sets in respect of making such personal data available to a foreign state or its entities.

Exemptions for research and statistics: The draft rules exempt personal data processing for research, archiving, or statistical purposes, provided it follows the safeguards outlined in Schedule II. This allows necessary data usage for academic and policy research while maintaining protection standards.

Enforcement mechanism: The framework includes establishing the DP Board, appointing its chairperson and members, and provisions for appealing decisions through designated appellate authorities.

How the draft DPDP Rules 2025 will impact businesses, users, and regulators in India

The DPDP Rules, 2025, are expected to have a varied impact on businesses, users, and regulators, while also presenting notable challenges and concerns.

According to legal experts, compliance with the new regulations will likely require substantial investments, particularly for small and medium enterprises. Organizations relying on digital data processing must implement advanced consent management systems, strengthen data security measures, and maintain transparent communication regarding users’ data rights and usage. These requirements could lead to significant operational and financial adjustments.

Smaller businesses may face difficulties in establishing consent mechanisms and meeting data localization requirements, potentially necessitating costly modifications to their platform designs and organizational architecture. 

Another area of concern is the timeline for reporting data breaches. The DPDP draft rules require breaches to be reported to the DP Board within 72 hours, conflicting with existing MeitY guidelines under India’s IT Act, 2000, which mandate reporting cyber incidents to CERT-In (a national nodal agency for responding to computer security incidents) within six hours.

For users, however, the rules offer enhanced privacy protections by providing clearer and more enforceable rights over their personal data. These measures grant users greater control over how their information is collected, processed, stored, and shared, fostering trust in digital platforms and ensuring their privacy is safeguarded.

(US$1 = INR 85.68)

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India.